Hi!

A scan with spybot gives me the message
Win32.Murlo.ff.rtk
Program file
c:\WINDOWS\Temp\startdrv.exe
Autorun settings(startdrv)
HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\Run\startdrv

Spybot does not remove these entries and not after reboot. Also no removal in Save Mode.

AVG also lists c:\WINDOWS\Temp\startdrv.exe
as infected and is not able to remove it.

startdrv.exe always comes up as a start-up item.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 21, 2007 8:22:43 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/11/2007
Kaspersky Anti-Virus database records: 462659
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 136929
Number of viruses found: 4
Number of infected objects: 20
Number of suspicious objects: 10
Duration of the scan process: 01:12:52

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\startdrv.exe Object is locked skipped
C:\WINDOWS\Temp\ZLT06d78.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06d7c.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{EDD74686-53CD-4AA7-98D3-381B72A6F1AB}.bin Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\ACER1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk2.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk4.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk6.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk12.zip/startdrv.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yummy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temp\~DF9198.tmp Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\History\History.IE5\MSHist012007112120071122\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-60fb7187-5906cb00.zip/BnnnnBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-60fb7187-5906cb00.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-60fb7187-5906cb00.zip/Bnnnnn.class Infected: Trojan.Java.ClassLoader.as skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-60fb7187-5906cb00.zip ZIP: infected - 3 skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6f9fd8cf.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6f9fd8cf.zip ZIP: infected - 1 skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7181db3a.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-7181db3a.zip ZIP: infected - 1 skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-3b9b6fc8.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-3b9b6fc8.zip ZIP: infected - 1 skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-646af7dc/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-646af7dc ZIP: infected - 1 skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-33f04ab4/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-33f04ab4 ZIP: infected - 1 skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-3146d2c0/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-3146d2c0 ZIP: infected - 1 skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111212.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111212.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\change.log Object is locked skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111210.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111210.exe WiseSFX: infected - 1 skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\change.log Object is locked skipped

Scan process completed.
-----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:36 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\allume systems\internet cleanup 5.0\cleaner\icserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Quick Fill Toolbar - {7BE2E2E3-4B8A-4fe4-BE98-95FA313FDD19} - (no file)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [SpybotDeletingA374] command /c del "C:\WINDOWS\Temp\startdrv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9632] cmd /c del "C:\WINDOWS\Temp\startdrv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA144] command /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8512] cmd /c del "C:\WINDOWS\SchedLgU.Txt_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2005] command /c del "C:\WINDOWS\Temp\startdrv.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5602] cmd /c del "C:\WINDOWS\Temp\startdrv.exe_tobedeleted"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: icservice - Aladdin Systems, Inc. - c:\program files\allume systems\internet cleanup 5.0\cleaner\icserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 8169 bytes

Thanks in advance for your help!

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

See this information: http://www.dslreports.com/forum/r18501103-Anyone-seeing-Startdrvexe-in-TEMP
You said this:
AVG also lists c:\WINDOWS\Temp\startdrv.exe
as infected and is not able to remove it.

Your HJT log is showing nothing, so we are probably dealing with a rootkit infection.

Kaspersky report: November 21, 2007 8:22:43 AM

C:\WINDOWS\Temp\startdrv.exe Object is locked skipped Kaspersky sees it but the rootkit is probably hiding the fact it is malware.

You are storing a load of junk in Spybot's Recovery folder, clean it all out.
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

Your Java cache is infected, clean it out also.
C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

System Restore has infected files, we will clean that near the end.

I need some information, see if BlackLight can supply any:
Please download F-Secure Blacklight:
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
(fsbl.exe) and save to your C:\ drive.
Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe.
Exit Blacklight and post the contents of the log in your next reply.

after you finish with BlackLight and have the log to post, then follow these directions:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the log from Blacklight, the log from combofix and a new HJT log.

Thanks

Hi!

I cleaned out the Spybot's Recovery folder.

I deleted the content of C:\Documents and Settings\yummy\Application Data\Sun\Java\Deployment\cache\. It is now in the Recycle Bin.

Here are the requested logs:

11/23/07 04:56:23 [Info]: BlackLight Engine 1.0.67 initialized
11/23/07 04:56:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/23/07 04:56:24 [Note]: 7019 4
11/23/07 04:56:24 [Note]: 7005 0
11/23/07 04:57:02 [Note]: 7006 0
11/23/07 04:57:02 [Note]: 7022 0
11/23/07 04:57:02 [Note]: 7011 528
11/23/07 04:57:03 [Note]: 7026 0
11/23/07 04:57:03 [Note]: 7026 0
11/23/07 04:57:05 [Note]: FSRAW library version 1.7.1024
11/23/07 04:57:21 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME2.SYS
11/23/07 04:57:21 [Note]: 7002 0
11/23/07 04:57:21 [Note]: 7003 1
11/23/07 04:57:27 [Note]: 2000 1012
11/23/07 04:57:27 [Note]: 2000 1012
11/23/07 04:57:27 [Note]: 2000 1012
11/23/07 04:57:27 [Note]: 2000 1012
11/23/07 04:57:27 [Note]: 2000 1012
11/23/07 04:58:30 [Note]: 7007 0

ComboFix 07-11-19.3 - yummy 2007-11-23 5:05:52.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.561 [GMT -8:00]
Running from: C:\Documents and Settings\yummy\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\yummy\Application Data\macromedia\Flash Player\#SharedObjects\MCM9XHMN\www.broadcaster.com
C:\Documents and Settings\yummy\Application Data\macromedia\Flash Player\#SharedObjects\MCM9XHMN\www.broadcaster.com\played_list.sol
C:\Documents and Settings\yummy\Application Data\macromedia\Flash Player\#SharedObjects\MCM9XHMN\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\yummy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\yummy\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\8_exception.nls
C:\WINDOWS\system32\autorun.ini
C:\WINDOWS\system32\drivers\runtime2.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2


((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-14 11:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 11:31 812,344 --a------ C:\Program Files\HJTInstall.exe
2007-11-14 08:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-14 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 09:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SolidDocuments
2007-11-11 15:33 <DIR> d-------- C:\Program Files\AsfTools 3.1
2007-11-04 10:39 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-04 02:28 14,603,672 --a------ C:\Program Files\jre-6u3-windows-i586-p.exe
2007-11-02 17:09 54,904,636 --a------ C:\Program Files\PhET-1.0-windows-installer.exe
2007-10-29 13:03 <DIR> d-------- C:\Documents and Settings\yummy\Application Data\Apple Computer
2007-10-29 12:58 <DIR> d-------- C:\Program Files\QuickTime
2007-10-29 12:57 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-29 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-29 12:47 20,256,064 --a------ C:\Program Files\QuickTimeInstaller.exe
2007-10-23 08:10 5,329 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 10:18 916,072 ----a-w C:\fsbl.exe
2007-11-22 22:00 2,859,870 ----a-w C:\Program Files\WorkingMpegJoiner.rar
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-14 11:02 --------- d-----w C:\Program Files\The KMPlayer
2007-10-14 10:40 6,060,143 ----a-w C:\Program Files\srad_hb.zip
2007-10-05 23:53 195,016 ----a-w C:\Program Files\Outlook-Profile-Setup.exe
2007-10-04 09:28 --------- d-----w C:\Program Files\MasterSplitter
2007-10-01 12:49 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-10-01 12:48 2,384,591 ----a-w C:\Program Files\ac3filter_1_46.exe
2007-10-01 12:47 475,844 ----a-w C:\Program Files\OggDS0995.exe
2007-09-24 08:27 4,037,953 ----a-w C:\Program Files\ffdshow_rev1473_20070910_clsid.exe
2007-09-03 07:33 3,333,704 ----a-w C:\Program Files\office-kb938888-fullfile-x86-glb.exe
2007-09-02 06:50 4,619,608 ----a-w C:\Program Files\Zinio_Reader_Setup_2317068646.exe
2007-08-27 05:22 5,970,944 ----a-w C:\Program Files\irfanview_plugins_400_setup.exe
2007-08-27 05:18 1,156,096 ----a-w C:\Program Files\IrfanView400.exe
2007-08-27 01:19 26,920,408 ----a-w C:\Program Files\avg75free_484a1103.exe
2007-08-14 17:58 517,633,491 ----a-w C:\Program Files\Office-2007.exe
2007-07-06 07:01 6,010,424 ----a-w C:\Program Files\Firefox Setup 2.0.0.4.exe
2007-07-06 00:00 137,754 ----a-w C:\Program Files\uninstall_flash_player.exe
2007-07-05 23:04 15,505,200 ----a-w C:\Program Files\IE7-WindowsXP-x86-enu.exe
2007-07-05 22:22 23,402,288 ----a-w C:\Program Files\AdbeRdr810_en_US.exe
2007-07-05 11:40 128,344 ----a-w C:\Program Files\Download_AVSVideoEditorTrial.exe
2007-07-02 20:50 17,896,352 ----a-w C:\Program Files\aaw2007.exe
2007-06-14 09:31 5,275,968 ----a-w C:\Program Files\getright_setup.exe
2007-05-23 17:49 5,133,824 ----a-w C:\Program Files\solidcapture_edu.exe
2007-05-17 17:18 8,984,686 ----a-w C:\Program Files\nod32v2.1.rar
2007-04-30 09:15 22,091,584 ----a-w C:\Program Files\Google_1_.Earth.Pro.v4.0.2737-FF.exe
2007-04-22 04:14 842,384 ----a-w C:\Program Files\7z445.exe
2007-04-09 13:44 4,517,296 ----a-w C:\Program Files\MathType52Setup.exe
2007-04-08 12:04 586,913 ----a-w C:\Program Files\ph14e.exe
2007-04-08 11:38 5,514,545 ----a-w C:\Program Files\physlet.exe
2007-04-08 05:38 1,418,608 ----a-w C:\Program Files\saSetup.exe
2007-04-02 00:49 15,436,440 ----a-w C:\Program Files\zapSetup_70_337_000_en.exe
2007-04-01 08:55 3,467,872 ----a-w C:\Program Files\registryboosteraff.exe
2007-03-14 23:07 28,399,752 ----a-w C:\Program Files\FileFormatConverters.exe
2007-02-20 20:27 3,090 ----a-w C:\Program Files\uninstal.log
2007-02-20 20:05 4,399,277 ----a-w C:\Program Files\friskiesCalendarInstall.exe
2007-01-24 19:16 3,639,544 ----a-w C:\Program Files\XnView-win.exe
2007-01-21 14:44 969,480 ----a-w C:\Program Files\nandub-binary-0.29.1.rar
2007-01-21 14:44 1,249,722 ----a-w C:\Program Files\VirtualDub-1.7.0.zip
2007-01-02 23:10 12,999,702 ----a-w C:\Program Files\kmp.exe
2006-12-08 12:39 10,569,371 ----a-w C:\Program Files\vlc-0.8.6-rc1-win32.exe
2006-12-05 04:39 1,921,846 ----a-w C:\Program Files\mpc98me-6490.zip
2006-11-18 22:44 11,953,610 ----a-w C:\Program Files\quicktimealt176lite.exe
2006-11-17 18:27 1,601,806 ----a-w C:\Program Files\avg_asw_uma_en_75_4.pdf
2006-11-17 18:26 6,469,352 ----a-w C:\Program Files\avgas-setup-7.5.0.50.exe
2006-11-17 18:26 17,515,272 ----a-w C:\Program Files\avg75free_430a848.exe
2006-11-17 18:25 489,383 ----a-w C:\Program Files\avg_fwf_sgd_en_71_4.pdf
2006-11-17 18:25 457,625 ----a-w C:\Program Files\avg_aff_uma_en_75_3.pdf
2006-10-15 14:16 4,229,261 ----a-w C:\Program Files\aawseplus.exe
2006-10-15 13:41 768,522 ----a-w C:\Program Files\eraser53.zip
2006-10-15 12:34 47,944,421 ----a-w C:\Program Files\InternetCleanup5.exe
2006-10-15 11:44 643,711 ----a-w C:\Program Files\XviD-1.1.0-30122005.exe
2006-10-13 23:38 5,037,072 ----a-w C:\Program Files\spybotsd14.exe
2006-10-13 23:13 13,714,856 ----a-w C:\Program Files\zlsSetup_65_737_000_en.exe
2006-10-13 21:31 18,620,504 ----a-w C:\Program Files\avg71free_408a815.exe.exe
2006-10-13 13:33 1,035,090 ----a-w C:\Program Files\wrar361.exe
2006-09-02 00:15 158,208 ----a-w C:\Program Files\msconfig.exe
2006-06-22 12:35 741,500 ----a-w C:\Program Files\Image_Grabber.zip
2006-01-08 09:39 1,469,033 ----a-w C:\Program Files\flvs_ft.exe
2005-12-05 05:28 4,763,648 ----a-w C:\Program Files\irfanview_plugins_397.exe
2005-12-05 05:24 895,488 ----a-w C:\Program Files\iview397.exe
2005-11-02 05:10 6,560,122 ----a-w C:\Program Files\realalt144.exe
2005-11-02 00:50 8,274,695 ----a-w C:\Program Files\vlc-0.8.2-win32.exe
2005-09-11 06:10 2,763,198 ----a-w C:\Program Files\bsplayer136.825.exe
2005-07-25 03:36 967,066 ----a-w C:\Program Files\ImageGraberII.exe
2005-03-04 05:20 8,814,920 ----a-w C:\Program Files\TMPGEnc-2.524.63.181-Plus-EN-Installer-DL.exe
2005-02-02 00:16 16,994,896 ----a-w C:\Program Files\solidconverterpdfinstall.exe
2005-01-29 20:14 501,363 ----a-w C:\Program Files\QuickPar-0.9.1.0.exe
2004-02-29 08:12 232,695 ----a-w C:\Program Files\hkSFVsetup.exe
2003-12-11 10:22 1,733,021 ----a-w C:\Program Files\TMPGEnc-2.521.58.169-Free.zip
2003-08-16 03:23 431,096 ----a-w C:\Program Files\divx_3d.exe
2003-07-19 08:35 3,211,306 ----a-w C:\Program Files\ezjoiner-5.21.exe
2003-07-02 10:37 412,199 ----a-w C:\Program Files\asftools310.exe
2003-03-25 15:49 819,200 ----a-w C:\Program Files\SAFlashPlayer.exe
2002-12-28 23:24 3,403,794 ----a-w C:\Program Files\reninst.exe
2002-05-16 14:44 4,346,960 ----a-w C:\Program Files\mtw50.exe
2001-12-29 21:17 448,512 ----a-w C:\Program Files\mspt32install.exe
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" []
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 10:50 C:\WINDOWS\AGRSMMSG.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43]
"EPM-DM"="c:\acer\epm\epm-dm.exe" [2005-01-25 14:02]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-01-21 15:21]
"LManager"="C:\Program Files\Launch Manager\QtZgAcer.EXE" [2004-12-09 12:35]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-22 09:23]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 05:00 C:\WINDOWS\system32\bthprops.cpl]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 10:24 C:\WINDOWS\SoundMan.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"UniKey"="" []
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"360SCProgram"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-22 09:23]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2006-11-11 04:07:07]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eraser]
C:\Program Files\Eraser\eraser.exe -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICTray]
2006-04-18 17:23 405504 --a------ C:\Program Files\Allume Systems\Internet Cleanup 5.0\ICTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 -reboot 1

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"AlcWzrd"=ALCWZRD.EXE
"High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SoundMan"=SOUNDMAN.EXE
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
"Alcmtr"=ALCMTR.EXE
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

R1 UBHelper;MRW remapping;C:\WINDOWS\system32\drivers\UBHelper.sys
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R2 icservice;icservice;"c:\program files\allume systems\internet cleanup 5.0\cleaner\icserv.exe"
R2 ipasintf;ipasintf;\??\C:\WINDOWS\System32\drivers\pas2k.sys
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.sys
R3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 CBTNDIS5;CBTNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\CBTNDIS5.SYS
S3 int15.sys;int15.sys;\??\C:\Program Files\acer\eRecovery\int15.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03b37d08-5df2-11db-a1f0-00c09fa71202}]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7476ccaa-6e7f-11db-a1ff-00c09fa71202}]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 05:12:56
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-23 5:14:36 - machine was rebooted
.
--- E O F ---

Continued:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:23:49 AM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\allume systems\internet cleanup 5.0\cleaner\icserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Quick Fill Toolbar - {7BE2E2E3-4B8A-4fe4-BE98-95FA313FDD19} - (no file)
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - C:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: icservice - Aladdin Systems, Inc. - c:\program files\allume systems\internet cleanup 5.0\cleaner\icserv.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 7467 bytes


After finishing the above tasks, I ran AVG and there was no more virus alert c:\WINDOWS\Temp\startdrv.exe. The file startdrv.exe is no longer in c:\WINDOWS\Temp\.

However, AVG found and quarantained two other things:
1. Virus Name: Trojan horse BackDoor.Generic8.TNU
Path: C:\System Volume Information\_restore{....}\RP391\A0113009.sys
File: A0113009.sys
2. Virus Name: Trojan horse BackDoor.Generic8.TNU
Path: C:\qoobox\Quarantaine\C\WINDOWS\system32\drivers\runtime2.sys.vir
File: runtime2.sys.vir

I ran AVG again and it found no problems.
Then I ran spybot and it found no problems

Again thank you very much. Waiting for your response.

Thanks for returning your information, BlackLight has found a hidden rootkit.
11/23/07 04:57:21 [Info]: Hidden file: c:\WINDOWS\SYSTEM32\DRIVERS\RUNTIME2.SYS
See this: http://www.bleepingcomputer.com/startups/runtime2-18249.html

But...it looks like combofix deleted the bad file for you, I am assuming you ran BlackLight first, see this:
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\drivers\runtime2.sys

What I would like you to do is run BlackLight again to make sure that item is gone. You do not have to post the scan, just tell me.

However, AVG found and quarantained two other things:one is an infected System Restore file we will clean last, the other is the combofix quarantine folder we will delete soon.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:23:49 AM, on 11/23/2007

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(not malware, just trash)
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
O2 - BHO: Quick Fill Toolbar - {7BE2E2E3-4B8A-4fe4-BE98-95FA313FDD19} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

If Blacklight is clean, then remove combofix from your computer, make sure you delete the C:qoobox\quarantine\ folder. Now scan with Kaspersky and post the results.

*** empty the Recycle Bin before you scan***

Thanks...Phil

Hi!

I did run BlackLight again. It looks fine. To be sure, I post it here:

11/25/07 05:12:40 [Info]: BlackLight Engine 1.0.67 initialized
11/25/07 05:12:40 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/25/07 05:12:40 [Note]: 7019 4
11/25/07 05:12:40 [Note]: 7005 0
11/25/07 05:12:53 [Note]: 7006 0
11/25/07 05:12:53 [Note]: 7022 0
11/25/07 05:12:53 [Note]: 7011 836
11/25/07 05:12:53 [Note]: 7026 0
11/25/07 05:12:53 [Note]: 7026 0
11/25/07 05:12:55 [Note]: FSRAW library version 1.7.1024
11/25/07 05:13:39 [Note]: 2000 1012
11/25/07 05:13:39 [Note]: 2000 1012
11/25/07 05:13:39 [Note]: 2000 1012
11/25/07 05:13:39 [Note]: 2000 1012
11/25/07 05:13:39 [Note]: 2000 1012
11/25/07 05:13:39 [Note]: 2000 1012
11/25/07 05:14:18 [Note]: 7007 0

Then I ran HijackThis and removed
O2 - BHO: (no name) - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - (no file)
O2 - BHO: Quick Fill Toolbar - {7BE2E2E3-4B8A-4fe4-BE98-95FA313FDD19} - (no file)

Then I ran ATF Cleaner. Next step would be to remove combofix. I don't see it in "Add/Remove Programs" from the control panel. So do I just delete it from the desktop, delete the C:qoobox\quarantine\ folder and then empty the recycle bin? There is then stil some other stuff in C:qoobox.

Thanks.

C:\qoobox. <<< delete all things combofix, it does not update so has to be downloaded fresh if ever needed again. The quantine folder would have been in the C:\qoobox\ folder

Thanks

I erased combofix from the desktop and qoobox from C:\. I ran AFTCleaner again and then Kaspersky. Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 2:03:41 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 465546
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 134526
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:10:07

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\ZLT06330.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0632d.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\ACER1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yummy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temp\~DFFA6D.tmp Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP392\change.log Object is locked skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111212.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111212.exe WiseSFX: infected - 1 skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111210.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111210.exe WiseSFX: infected - 1 skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP392\change.log Object is locked skipped

Scan process completed.

Thank you very much.

KASPERSKY ONLINE SCANNER REPORT Sunday, November 25, 2007 2:03:41 PM
Number of infected objects: 4

C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111212.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111212.exe WiseSFX: infected - 1 skipped

D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111210.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP388\A0111210.exe WiseSFX: infected - 1 skipped

Looks like all in infected System Restore files and it seem to be duplicated on the two drives?

I don't know why you are running System Restore on two drives?
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

The 4 infected files in System Restore are getrt45d.exe, the installation file for GetRight 4.5. I removed them from this computer. Actually, I doubt that there is something wrong with this file.

I don't know why System Restore runs on both the C and D drive. That's how the computer must have been setup from the start.

So how do I proceed now? Unless you tell me otherwise, I delete the four files in question. Then using this info

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

I stop system restore on the D drive and set a new restore point for the C drive.

Correct?

Thanks again!

To tell you the truth, I have never seen System Restore running on two drives on the same computer. Here is information about System Restore:
http://www.google.com/search?hl=en&q=what+is+system+restore&btnG=Search
If your questions are not answered there, try here:
http://support.microsoft.com/

Thanks

Phil,

I deleted the two infected files A0111212.exe and A0111210.exe from System Restore and the Recycle Bin and ran Kaspersky again. Here is the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 25, 2007 5:28:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/11/2007
Kaspersky Anti-Virus database records: 465602
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 134604
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:10:20

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\ZLT06330.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0632d.TMP Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\ACER1.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yummy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temp\~DFFA6D.tmp Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\History\History.IE5\MSHist012007112520071126\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yummy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\yummy\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP393\change.log Object is locked skipped
D:\System Volume Information\_restore{4FE9DE13-0068-472E-89C3-D392849B5DAD}\RP393\change.log Object is locked skipped

Scan process completed.

Looks ok now. So what is next? Do I set a new restore point now? I can set a new point for the C drive and not have System Restore on the D drive or I can have it on both. But that seems to be a different issue I have to look into. As far as the infection with Win32.Murlo.ff.rtk Download Trojan is concerned am I ok now?

Thank you very much.

KASPERSKY ONLINE SCANNER REPORT Sunday, November 25, 2007 5:28:59 PM
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0

I would say you are good to go. I would also set a new restore point:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

All system restore points are deleted. Now you should manually create a restore point.
1. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2. Click Create a Restore Point, and then click Next.
3. Name your restore point. (I use the date as well as a descriptive term such as "After Restore Point Deletion.")

Thanks

All done. Thank you very much!:bighug: